This chapter is a short detour away from Webmin to cover a closely related tool called Usermin. The two tools have a lot in common, and are often used together to provide a multi-tiered GUI for users and administrators. The commonalities begin with the fact that both were written and are maintained by Jamie Cameron. They share much of the same code base, and the operation of Usermin closely parallels that of Webmin.
Because the Usermin modules are so closely related to the modules in Webmin, it would be pointless to cover them in detail here. What the chapter will cover is the Usermin Configuration module in Webmin, document the modules that do diverge from similar Webmin modules or simply do not exist in Webmin, and provide some discussions about using Webmin and Usermin in real environments with examples to help make the best use of them. Compared to Webmin, Usermin is severely limited, but it is just those limitations that make it ideal for a certain class of problem and so those will be the problems that will be discussed along with how Usermin can help solve them.
The differences begin with the intention of each. Webmin is used primarily by system administrators, and it provides unlimited power to the logged-in administrator unless permissions are explicitly restricted. Usermin, on the other hand, is used primarily by system users, and the powers of a logged-in Usermin user are by default limited to only the permissions of a normal user. Specifically, Usermin provides access to a web-based mail client, a Java file manager applet, SSH configuration and client modules, GnuPG encryption and decryption, mail forwarding, changing passwords, cron jobs, and a simplified web-based command shell.
Note: PAM is an acronym for Pluggable Authentication Modules. It allows easier integration of a variety of authentication technologies without requiring all authenticating software to be modified to support each authentication type. Modules are available for a vast array of authentication methods, including LDAP, Kerberos, RSA, and UNIX passwd and shadow files. It is widely deployed on most major Linux distributions, Solaris versions 2.6 and above, and is available as packages or in source form for FreeBSD and HP-UX.
Before you can use Usermin, you will have to install it. Unlike Webmin, at the time of this writing no major Linux distribution or UNIX vendor is including Usermin in its standard installation or offering it as an optional package. This will certainly change in time, and OS vendors may be installing it by the time you read this. Check with your vendor for packages, or simply download it from the Usermin website.
Installing Usermin is just about like installing Webmin, with the one exception that it is recommended to install the Authen-PAM Perl module before installing Usermin. So first it will be necessary to check for, and possibly install, this Perl module. The easiest way to check for a Perl module is to use a command like the following:
[root@grover root]# perl -e 'use Authen::PAM; print "Success!\n"'
If this module is available, you will see only the word "Success!" printed on the next line. If the module is not installed, a number of errors will result instead. If you have success with the module check, proceed to the next section. If not, visit the Comprehensive Perl Archive Network (CPAN for short) at www.cpan.org. Use the search function to find the latest version of Authen-PAM, download it, and follow the instructions in the README file that is included. Briefly, all CPAN Perl modules are installed in the same simple way.
First generate a makefile by running the Makefile.PL file, as follows:
[root@grover Authen-PAM-0.13]# perl Makefile.PL
If successful, run make and make install.
[root@grover Authen-PAM-0.13]# make
[root@grover Authen-PAM-0.13]# make install
Next, use the Perl command suggested at the beginning of this section to test for the availability of the module. Then add a PAM service called usermin in the appropriate location. Under many Linux distributions, this involves creating a file named /etc/pam.d/usermin that contains the following:
#%PAM-1.0
auth required pam_unix.so shadow nullok
account required pam_unix.so
password required pam_unix.so shadow nullok use_authtok
session required pam_unix.so
Now the installation of Usermin should proceed smoothly.
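Before enabling a new PAM service it is worth checking that the file you created is well formed and that every management group is present, since a missing group silently falls back to PAM's `other` service. The following is an added example written for this chapter, not code from the book or from Usermin. It parses a copy of the /etc/pam.d/usermin file shown above (embedded as constructed sample input), reports missing groups, and flags the `nullok` argument, which lets accounts with an empty password pass that phase.

```python
"""Sanity-check a PAM service file such as /etc/pam.d/usermin before relying on it.

Added example, not part of the book or of Usermin. Each non-comment line must read
<type> <control> <module-path> [arguments...]; a management group that is missing makes
PAM fall back to the 'other' service for that phase, which is rarely what was intended."""
import re

# Constructed copy of the /etc/pam.d/usermin file shown in the chapter.
SAMPLE_PAM_USERMIN = """\
#%PAM-1.0
auth required pam_unix.so shadow nullok
account required pam_unix.so
password required pam_unix.so shadow nullok use_authtok
session required pam_unix.so
"""

MANAGEMENT_GROUPS = ("auth", "account", "password", "session")
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# type, control (keyword or [bracketed action list]), module path, optional arguments
ENTRY_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_pam_service(text):
    """Return a list of dicts {type, control, module, args, line}; raise on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, including the #%PAM-1.0 header
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<type> <control> <module> [args]', got {raw!r}")
        mtype, control, module, args = m.groups()
        # A leading '-' only tells PAM to stay quiet if the module is absent.
        entries.append({"type": mtype.lstrip("-"), "control": control,
                        "module": module, "args": args.split(), "line": lineno})
    return entries


def audit_pam_service(text):
    """Report missing management groups and arguments that weaken authentication."""
    entries = parse_pam_service(text)
    present = {e["type"] for e in entries}
    warnings = []
    for e in entries:
        if e["type"] not in MANAGEMENT_GROUPS:
            warnings.append(f"line {e['line']}: unknown module type {e['type']!r}")
        if not e["control"].startswith("[") and e["control"] not in SIMPLE_CONTROLS:
            warnings.append(f"line {e['line']}: unknown control flag {e['control']!r}")
        if "nullok" in e["args"]:
            warnings.append(f"line {e['line']}: 'nullok' lets accounts with an empty password "
                            f"pass the {e['type']} phase")
        if e["type"] == "auth" and e["module"].endswith("pam_permit.so"):
            warnings.append(f"line {e['line']}: pam_permit.so in the auth phase accepts any user")
    missing = [g for g in MANAGEMENT_GROUPS if g not in present]
    return {"entries": entries, "missing_groups": missing, "warnings": warnings}


if __name__ == "__main__":
    report = audit_pam_service(SAMPLE_PAM_USERMIN)
    print("missing groups:", report["missing_groups"] or "none")
    for w in report["warnings"]:
        print("warning:", w)
```

Run against the chapter's file the audit finds all four groups present and two `nullok` warnings; whether empty passwords are acceptable for a service reachable over the network is a decision to make deliberately rather than by copying a template.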
Note: You may be able to download a package of Authen-PAM for your operating system, which is usually preferable from a system maintenance perspective. Also, if you use an RPM based Linux distribution, you may be able to use cpanflute or cpanflute2 to automatically generate a package from the Perl module, if your vendor doesn't provide a package for you. The use of cpanflute is not discussed in this book. However, it is worth looking into if you frequently install Perl modules, because it makes generating Perl module RPMs a simple and painless process.
Lucky for us, Usermin is free under a BSD-style license, just like its more powerful sibling. It can be downloaded for free from the Usermin site or one of its mirrors. For reference, the primary Usermin site is www.usermin.com. Like Webmin, Usermin is available in a tarball, as well as an RPM for Red Hat, MSC Linux, Caldera, Mandrake and SuSE. Unlike Webmin, there is currently no Solaris package of Usermin. Choose the most appropriate option for your system.
Depending on the installation method, you follow similar steps as you did for installing Webmin. For the tarball, copy it to the desired installation location (usually /usr/local), unzip it, untar it, and run the setup.sh script:
[root@delilah /root]# cp usermin-0.6.tar.gz /usr/local
[root@delilah /root]# cd /usr/local
[root@delilah local]# gunzip usermin-0.6.tar.gz
[root@delilah local]# tar xf usermin-0.6.tar
[root@delilah local]# cd usermin-0.6
[root@delilah local]# ./setup.sh
The install script will ask a series of questions, for most of which you should accept the default values. After the installation script finishes running, you will be able to log in to the Usermin server on port 20000.
Installing from an RPM package is, just like with Webmin, even easier than installation from the tarball. When installing from a package, it is still necessary to ensure you have the PAM Perl module as documented previously (if you will be using it). Then use the following command for an RPM installation:
[root@delilah /extra]# rpm -Uvh usermin-0.6-1.noarch.rpm
The RPM will automatically run the installation script with sensible defaults and start the Usermin server on port 20000.
You configure Usermin, perhaps paradoxically, from within Webmin. Clicking on the Usermin Configuration icon under the Webmin tab displays a few rows of icons of Usermin options, which are very similar in form and function to those of the Webmin Configuration module (Figure 4.1, “Usermin Configuration index”). There are far fewer configurable options, of course, but because Usermin is based on the same web server framework as Webmin (miniserv.pl, specifically), it provides all of the same access control and security mechanisms.
On first entering this module, all that is displayed is a page listing all of the Usermin modules that have configurable options. Clicking on a module name will open a page that contains the configuration options for the selected module.
GnuPG (GNU Privacy Guard, or gpg for short) is a complete and Free Software implementation of the encryption standards originally provided by PGP (Pretty Good Privacy, a commercial product). It does not rely on the patent-encumbered IDEA algorithm, so it can be used with no restrictions for commercial or non-commercial purposes. GnuPG provides strong encryption and digital signatures of several types for email and files. Using GnuPG's strong encryption, it is possible to send a private email with confidence that only the recipient can decrypt the message. Additionally, a message may be digitally signed, allowing confirmation of sender identity and verification of the contents of the message (i.e., it confirms this actually is the message as it was composed by the sender and it hasn't been modified in some way during transit).
This module has only one configurable option: the keyserver used for sending and receiving public keys. If you use GnuPG to confirm signatures, it is necessary to use central keyservers so that identities can be looked up in a centralized database. In this way, a web of trust can be woven between individuals who can confirm the identity of others. Because there are a large number of public keyservers available all over the world, and they synchronize their data, it is a good idea to choose one near you.
Webmin and Usermin support Sendmail, Postfix, and Qmail as mail transfer agents (MTAs). This option should be set to the mail transfer agent that your server uses. Postfix does not appear in the list, however, because Postfix is entirely Sendmail-compatible from a user perspective. Simply select Sendmail if Postfix is the MTA, and everything will work as expected.
The Usermin Read Mail module offers users a complete, if basic, web-based mail client. It allows the user to send and receive mail, as well as keep a simple address book, and digitally sign or encrypt messages. For this module there are a number of configurable options, as shown in Figure 4.2, “Configurable options for Read Mail” and Figure 4.3, “Default user preferences for Read Mail”.
- Default hostname for From: addresses
This is the host name that will be included in the mail headers in the From field. If you wish all mail from your domain to be addressed from just the domain name (rather than, for example, mail.domain.com) you may enter it here. Entering domain.com will cause all mail sent from this machine using the Usermin mail client to appear to be from domain.com.
- Allow editing of From: address
If Yes, the user can enter any address they choose in the From field. If No, all mail will be marked as originating from the domain you chose in the previous option. It may be appropriate to permit this change if clients have their own domain names, or would like to primarily use another address and do not want to keep up with replies to another mailbox.
- From: address mapping file
When hosting virtual domains, it may be useful to have the From: address set to the appropriate user@virtualdomain.com address rather than that of the real username and the domain of the system. This option sets Usermin to choose the correct address from a domain mapping file, usually the generics table.
- Mail storage format
Like that of the Mail Forwarding configuration above, this selection should match that of the MTA that is running on your server. You can choose Sendmail style single file if Postfix is the installed MTA.
- Sendmail mail file location
Here you select the location of your mail storage directories. This is usually /var/spool/mail; another common option is to deliver mail to an mbox file in the user's home directory. This depends on the configuration of your mail delivery system (which may or may not actually be Sendmail). Postfix can use Sendmail-compatible mail delivery options and so requires no special configuration here.
- Sendmail file in home directory
If mail is stored in the user's home directory, specify the filename for the inbox here. Often this is mbox, but some mail servers or mail clients may choose something different. Often the inbox is not in the user's home directory at all, and so this option isn't always necessary.
- Qmail or MH directory location
If using Qmail or MH, specify the location of the system mail storage directory here. Qmail and MH use custom mail storage formats that are implemented as one-mail-per-file, as opposed to the traditional mbox format which puts all emails into a single file. This is thought by some administrators and developers to provide better performance and better reliability.
- Qmail or MH directory in home directory
If mail is stored in the user's home directory rather than in the system mail spool directory, you may specify the location here. Often, this will be the Maildir directory, though it could be something else.
- Mail subdirectory style
Some mail delivery agents allow the mail spool directory to be divided into multiple subdirectories in order to ease management and accommodate limitations of some UNIX filesystems. If your delivery agent does not deliver all mail to a single mail spool directory, and instead delivers to mailboxes spread across many subdirectories, you may configure that here.
- POP3 or IMAP server name
In addition to reading local mail, Usermin can retrieve email from a POP3 or IMAP server. If your mail spool is located on a remote server, you can specify it here.
- Send mail via connection to
Selects how Usermin will send mail. It can be sent to any local mail transport agent or a remote SMTP server. By default this is the sendmail executable, but several alternatives exist.
- Sendmail command
The location of your MTA executable. This is the command that will be called when Usermin sends mail, unless configured to send via a remote SMTP server.
- Allow attaching of server-side files?
This allows users to attach files that are located on the local machine (on which Usermin is running). This is a minor security risk, because a user could then attach, and thereby send out, any file on the server that their account has read permission for. This setting applies to all users and cannot be overridden by the user.
- Minimum mail file size to index
For performance reasons, Usermin can be configured to create an index file of the email in a user's mailbox. This is usually unnecessary unless the mailbox is rather large, so you may configure the minimum size of a mailbox that Usermin will index.
- Global address book file
Usermin provides a simple address book for users to store email addresses. If specified here, a global address book can be created that can be shared among all Usermin users on the system. This can be useful for companies that have a lot of employees, and require frequent email interactions.
The lower portion of the Read Mail page (Figure 4.3, “Default user preferences for Read Mail”) is devoted to configuring the default user preferences for the module.
- Users can edit preferences
If you would like to prevent users from modifying their preferences for the Read Mail module, you may specify No here. By default, the user will have the preferences you specify here, but they can change any of them. Some options, like line-wrap widths and number of mail messages to display at once, allow changes that would make the mail client more suitable for different environments, such as palm-sized access devices. Others are merely matters of personal preference.
- Mail messages to display per page
This option is pretty much self-explanatory. You may choose to display more or fewer messages, which can be useful if clients are using small display devices for the web mail client and too many lines make browsing messages in the Inbox cumbersome. You are configuring the system-wide default here. Users can alter this setting, and all of the following Read Mail display-related options, for their own account.
- Width to wrap mail messages at
Again, your users may find this option useful for small displays, such as handheld computing devices. The default is 80 characters per line.
- Show buttons at top for
Selects on which pages the Delete, Mark message as, and Forward buttons will be displayed at the top of the page. By default, these buttons appear at the top and bottom of the mailbox pages, and only at the bottom on the view mail page. If large mails are common, your users may find it convenient to display buttons at the top of both. If your users don't have a lot of screen real estate (such as a palm-sized device, for example) you might not want to display buttons at the top of any page.
- Show To: address in mailboxes?
This option allows you to select whether the mailbox page will display the To: field. It's useful if a mailbox receives messages with different email addresses via mail aliases.
- Don't MIME encode messages if text only?
If set to Yes, messages that contain no binary files will not be MIME encoded. MIME encoding is a means to transmit data and text that falls outside of the 7-bit ASCII that is permitted in plain text emails.
- Mailboxes directory under home directory
Mail folders will be created by Usermin for storage of sent mail, drafts, and custom folders. These folders will be created in the user's home directory within the subdirectory specified here.
- Treat mailbox subdirectories as
If other subdirectories exist within the directory specified above, Usermin can treat them either as folders or as subdirectories, as specified here.
- Save sent mail
If selected, mail sent by users via the Read Mail module will be saved in a sent mail folder in the user's home directory.
- Automatically mark read messages
Messages that have been read will be marked with a check mark, if this option is set to Yes.
- Default folder file
This selects the folder that will be displayed when the user first opens the Read Mail module. By default this is the inbox for the user.
- Show image attachments as thumbnails
If selected, and the appropriate libraries are available, image attachments will be displayed as thumbnails. Clicking on the thumbnail will display the full-sized image.
- Sort address book by
Address book entries can be sorted alphabetically by the real name or the email address, or they can be sorted chronologically by the order in which they have been added.
- Include real name in From: address?
If available, the user's real name can be included in the From: field of messages being sent using the Read Mail module.
- Character set for sent mail
MIME mail messages may contain characters from several character sets. This option specifies the default character set for sent mail. Locations with native languages other than English and the Romance languages may wish to change this to a different character set.
- Ask for confirmation before deleting
This option configures the level of confirmation required when deleting emails and folders. If set to Yes, every delete request will have to be confirmed. If set to No, email deletions will not require confirmation.
- Signature file
If specified, the user may have a signature file that will be automatically appended to every email composed. Traditionally, the filename for signature files is .signature in the user's home directory, but any filename may be specified.
The Running Processes module in Usermin allows users to view all of the processes they are running. There are a couple of configurable options here.
- Default process list style
The options correlate to the modes of the ps command. Therefore, it allows output forms, such as a process tree (where parent/child relationships are clear) as well as simpler process lists.
- PS command output style
This option should match the OS on which Usermin is running, as it chooses how to parse the output of the ps command. However, if your system uses a custom variant of this command, you may need to modify this to an OS that provides a similar ps.
The Cron Jobs module allows users to create their own scheduled tasks to be performed automatically by the system at a specific time. The commands are performed with the permissions of the user that configured them.
- Crontab Directory
This should be set to the directory where cron looks for its crontab files.
- Command to read a user's cron job
Some crontab versions may use slightly different command line options, or you may use a special-purpose wrapper for cron. Here you can select the command and options for reading a user's crontab.
- Command to edit a user's cron job
Similar to the above Command to read a user's cron job, except it configures the command to edit a user's crontab.
- Command to accept a user's cron job on stdin
crontab can usually accept input from the standard input also, if the - pseudo-filename is given on the command line.
- Command to delete a user's cron jobs
This option sets the command Usermin will use to delete a user's crontab entries.
- Cron supports input to cron jobs
This option configures whether Usermin will provide a text entry box so that the user can provide data to the command being run via standard input. The command being run must accept data from standard input.
- Path to Vixie-Cron system crontab file
This should be the path to your system-wide crontab. Generally, it would be /etc/crontab.
- Path to extra cron files directory
Many systems make use of an extra cron directory for program specific cron jobs to execute when cron runs. This is likely /etc/cron.d.
- run-parts command
The run-parts command is often invoked from the system crontab file, and is used to run all of the scripts in a given directory at the scheduled time. For example, on a Red Hat Linux system the crontab contains:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
The previous example sets a few defaults in the cron environment, and executes run-parts at a few specified times. Specifically, the scripts in the /etc/cron.hourly directory are executed at 1 minute after every hour. run-parts is simply the program that processes the specified directory and executes all of the commands in it.
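Reading a system crontab by eye is error-prone once it grows beyond a few lines, and when reviewing what a server runs unattended it helps to be able to ask "what fires at this time?" The following is an added example written for this chapter (not code from the book, Webmin, or Usermin). It parses a system-style crontab (the seven-field form with a user column, as in the Red Hat file above, embedded here as constructed sample input), expands the five schedule fields including lists, ranges and steps, and applies the Vixie cron rule that a restricted day-of-month and day-of-week are OR'd together. `@reboot`-style shortcuts are deliberately not handled.

```python
"""Parse a Vixie-cron system crontab (minute hour dom month dow user command) and
work out which jobs fire at a given moment.

Added example, not code from the book or from Webmin/Usermin. The Red Hat system
crontab quoted in the chapter is used as constructed sample input."""
import re
from datetime import datetime

SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
"""

# Permitted (low, high) bounds for minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
ENV_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")


def expand_field(spec, low, high):
    """Expand one schedule field ('*', '5', '1-5', '*/15', '1,15', '0-23/2') to a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError(f"field {spec!r} outside {low}-{high}")
        values.update(range(start, end + 1, step))
    if high == 7 and 7 in values:  # cron accepts both 0 and 7 for Sunday; normalise to 0
        values.discard(7)
        values.add(0)
    return values


def parse_crontab(text):
    """Return (environment dict, list of jobs). @reboot-style shortcuts are not handled."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        env_match = ENV_RE.match(line)
        if env_match:
            env[env_match.group(1)] = env_match.group(2)
            continue
        fields = line.split(None, 6)  # system crontabs carry a user field before the command
        if len(fields) < 7:
            raise ValueError(f"malformed crontab line: {raw!r}")
        sched = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields[:5], FIELD_RANGES)]
        jobs.append({
            "minute": sched[0], "hour": sched[1], "dom": sched[2], "month": sched[3], "dow": sched[4],
            # Vixie cron: a dom/dow field counts as restricted unless it starts with '*'
            "dom_restricted": not fields[2].startswith("*"),
            "dow_restricted": not fields[4].startswith("*"),
            "user": fields[5], "command": fields[6],
        })
    return env, jobs


def job_fires_at(job, when):
    """Minute, hour and month must all match. If both dom and dow are restricted,
    cron fires when either matches; otherwise both must match."""
    if (when.minute not in job["minute"] or when.hour not in job["hour"]
            or when.month not in job["month"]):
        return False
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0 ... Sunday=6; cron: Sunday=0
    dom_ok, dow_ok = when.day in job["dom"], cron_dow in job["dow"]
    if job["dom_restricted"] and job["dow_restricted"]:
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def jobs_due_at(text, when):
    """Return 'user: command' for every job that fires at `when` (datetime or ISO 8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    _, jobs = parse_crontab(text)
    return [f"{j['user']}: {j['command']}" for j in jobs if job_fires_at(j, when)]


if __name__ == "__main__":
    env, _ = parse_crontab(SAMPLE_CRONTAB)
    print("cron output is mailed to", env["MAILTO"])
    for stamp in ("2002-01-06T04:22", "2002-01-01T04:42", "2002-03-15T13:01"):
        print(stamp, "->", jobs_due_at(SAMPLE_CRONTAB, stamp))
```

The same parser can be pointed at the per-user crontabs Usermin manages by dropping the user column (six fields instead of seven); the schedule logic is unchanged.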
Much like the Webmin module selection page, this page allows you to select which modules will be available to users. If, for example, you do not want users to have any direct filesystem access, you could disable the Command Shell, File Manager, and SSH/Telnet Login. The SSH Configuration and Login Script modules are then useless, and so may be disabled as well.
It has probably become quite clear that Usermin and Webmin are strikingly similar in many ways, and Usermin has very little that Webmin does not. So, why use it? Why not simply give everyone access to Webmin, and simplify life for everyone? There is no way to answer that question fully without analyzing the environment in which the system is deployed. Under some circumstances, Usermin would be useless while requiring additional resources to install and run it. But in other circumstances, Usermin can be a valuable addition to an administrator's toolkit.
Usermin is at its most useful when the server is being used by a large number of unprivileged users, and administration of those users needs to be simplified. Before Usermin, it was possible to grant users access to Webmin to read their mail, change passwords, and perform a few normal user functions, and that functionality is still there. One could use Webmin for the same purposes by constructing elaborate ACLs and groups and being careful to configure those new users with just those permissions. However, this leaves some room for administrator error, which could have dramatic consequences. Usermin, on the other hand, leaves no room for error. A Usermin user has the permissions of the user that is logged in and no more. The user can't accidentally receive additional rights, and so a careful selection of available modules is not needed to ensure security and ease of use (because, let's face it, many users can become quite confused by too many complicated options).
Another good use for Usermin is to provide an easy method for users who travel to read their mail, and retrieve files from their own home directories. By providing a web interface to the local machine (and via network file servers, potentially all of a user's data) telecommuters can do all of these things from any web-enabled device in the world. In other words, users can log in to the local network from an Internet cafe, an Internet kiosk at trade shows, or from a wireless web device. Doing so requires no specialized software to be installed on the client system.
Another interesting use for Usermin would be in a shared-hosting environment, allowing users the ability to view their own directory, upload files via a web browser, edit many of the basic features of their shell account, read mail, and so forth. It wouldn't be difficult to implement a few nifty extras such as running a web log analysis tool and allowing users to view the results from within Usermin.